Your PCI assessment really doesn’t need to be so hard

Oct 09, 2013

Nobody wants to go through a PCI DSS assessment but if your business takes credit cards then sooner or later you are going to have to. There are plenty of technical solutions in the marketplace claiming to make compliance easier and quite of lot of guidance around achieving compliance. The focus of this article is a little different – it’s about how you can make the assessment itself go a little more smoothly and maximise your chances of success.

1. Know your own business

The first step of a PCI DSS assessment is usually identifying the scope. At its simplest, scope encompasses two elements; it is all the system components in or connected to the cardholder data environment and it is all the business processes and locations that are involved in handling cardholder data. The first flows from the second.

Unfortunately, probably every QSA has a horror story of being well along in the PCI assessment process when the client suddenly mentions something completely unexpected. For example, it could be that one of their stores doesn’t operate like all the others. In the worst case, everything that you thought had been carefully de-scoped could be brought back in scope by that one store and the whole process becomes more complicated, time consuming and costly.

It could be that a whole business area is overlooked. It sounds unlikely but it’s surprisingly easy to overlook that small subsidiary business or to forget that although you are an e-commerce business you occasionally take payments over the phone. A real life example is a company with a large vehicle fleet that has a sideline in commercial vehicle testing service at its garages. It is a tiny part of the whole business but it is also the only part that takes payments using card readers, so it introduces an entirely new area for compliance. The QSA only discovered this part of the business by chance.

Your QSA will help you define the PCI scope and probably suggest how you might reduce it but your QSA cannot know your business as well as you do. Help them to help you by identifying all your business activities and thinking about any exceptions to the main processes.

2. Appoint a project manager

Ensure that there is someone to act as the primary contact for your QSA and who can project manage your internal PCI compliance effort. A small company where the Head of ICT knows everyone personally might manage without but it’s essential in a larger company. There are two main reasons for doing this.

1. Your QSA can waste a lot of time (and QSA time is your money) trying to find out who to talk to in your company and then cold calling them to set up meetings and ask for information. Especially for a full Report on Compliance assessment, the QSA will need to collect a huge amount of evidence prescribed by the PCI Security Standards Council (PCI SSC). It can be a painful process getting such information from people who often have no direct involvement in PCI and who have a day job to get on with. It’s much more effective for someone internal who already knows their way around the company to make those requests.

2. More importantly, as you go through the PCI journey there will be things that need to be changed. It could be anything from firewall rules to service level agreements with suppliers. Your QSA can recommend but they can’t make it happen. You need someone with the authority to see that the changes are made.

3. Document everything

Requirement 12 of PCI DSS is usually seen as the documentation requirement because it requires an information security policy. A policy, incidentally, that ‘addresses all PCI requirements’ or, at least, all the ones that apply to your company. However, there is actually a lot more to documentation than that. The PCI SSC identifies documentation as one of the four evidence types that a QSA must obtain. For example, in requirement 7.2.2 the standard says that privileges must be assigned to individuals based on job classification and function. No mention of documentation there. But the evidence requirement includes identifying the documents that describe “job classifications and functions; the associated privilege assignments”. In other words, it’s not enough to show your QSA that users have restricted privileges; you must have documented all the job roles that interact with card data and what access privileges they have. Then your QSA will want to see that the access they actually have is what the documentation says they should have.

Linking this step with the one above, a useful activity for the project manager is to pull together an evidence pack of all such documentation to hand over to your QSA.

4. Use compliant service providers

Many companies think that they can avoid at lot of PCI problems by outsourcing. There is some, but not much, truth in that. You can’t outsource responsibility for your card data. If there is a breach, the card brands will come after you and you may be left relying on your contracts with your suppliers for redress. Moreover, although using a non-compliant service provider doesn’t automatically make you non-compliant it does extend the scope of your PCI assessment into the supplier. It can really test a third party relationship when you ask if your QSA can come on site to audit your supplier’s systems.

So it makes sense to use suppliers who are themselves PCI compliant but even that isn’t always straightforward. To take an example, perhaps your company uses a hosting company to manage its web servers. The hosting company claims to be PCI compliant but what does that really mean? It may just mean that their data centre has been assessed in line with PCI DSS requirement 9. In fact, quite often you find that the web hosting company actually rents space at a datacentre owned by another company and it’s that company that has been assessed as compliant just for the physical controls over the datacentre. However, if the web hosting company provides any management of your web servers then they need to have been assessed as PCI compliant for that service. Otherwise, they come back into scope for your assessment.

The moral is to use PCI compliant service providers but check that they are certified compliant with respect to the services they are providing to you. And make sure that they are contractually responsible for maintaining PCI compliance and safeguarding your data.

5. Be realistic

The last tip is about having realistic expectations. Other than for a few companies with a very simple business model, PCI is not easy. If you find yourself facing a full Report on Compliance assessment or a QSA validated self-assessment questionnaire, it will be harder than you expect. At times, it will be frustrating and nit picking and pedantic yet at the same time be full of ambiguity and judgement calls. Your QSA shares your pain!

It’s important to remember why you are doing this. It isn’t – or it shouldn’t be – just about ticking the PCI compliance boxes. It’s about securing your customers’ valuable financial data and building trust.

Very few companies undergoing assessment for the first time pass without going through significant remediation and industry reports show that most companies that pass their assessment one year fail the next in at least one respect. Applying the tips described above will help you be different from the crowd and ease the journey. Our QSAs in 7Safe focus on helping clients achieve compliance by identifying effective remediation activity and then maintaining it year on year.

To find out more about PCI DSS, or how 7Safe can help you achieve or maintain compliance, please contact us.